In the Active Directory Object Restore Wizard functionality, we do not support Active Directory forest-level recovery (e.g. when a domain controller crashes). Proper forest recovery is a manually intensive operation and, per Microsoft's recommendation, a professional services team should be engaged to facilitate it; this operation should not be performed in-house, especially with third-party tools. There is a risk of discontinued support and/or lack of any integrity or stability guarantees.

Invasive agent technologies: do Netwrix products require the use of such technologies to gather data?

Netwrix offers both agentless and agent-based audit data collection. A non-intrusive lightweight agent technology is employed that does not "hook" into the domain controller core. Instead, it uses only well-documented mechanisms supported and recommended by Microsoft and other vendors (such as VMware). Netwrix agents are used mostly for network traffic compression to improve performance and require zero deployment effort, nearly equivalent to agentless data collection.

Competing solutions may claim that not making any use of native auditing is a benefit; this is not true. Without native auditing, intrusive agents are required that in essence replace the native functionality with a proprietary one. This may risk system stability and support problems should a normal system update disrupt the custom agent.
Furthermore, it can be falsely perceived that using native events requires additional resources and contributes to maintaining unnecessary log events, rendering the final output inefficient.

Netwrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable data entry. This is done by combining multiple streams of data, such as snapshots, event logs, and trace logs, to compose each change record. It does not impose additional resource or storage requirements; instead, it adds value by combining stable native events and log activity with Microsoft-approved approaches that present no stability risks to the host system.

Agents in Netwrix products are 100% optional and no functionality is lost by not using them.

What makes the Netwrix approach more accurate than its alternatives?

Employed in all of our tools, Netwrix AuditAssurance™ technology is an innovative combination of multiple audit trails with snapshot-based audit data collection, making it nearly impossible to omit any audit events that take place, even when events are not recorded to audit logs. Snapshots also provide the additional benefit of acting as a backup with the ability to facilitate restore functionality.

Competing solutions may claim that not making any use of native auditing is a benefit; this is not true. Without native auditing, intrusive agents are required that in essence replace the native functionality with a proprietary one. This may risk system stability should a normal system update disrupt the custom intrusive agent.

Furthermore, it can be falsely perceived that using native events requires additional resources and contributes to maintaining unnecessary log events, rendering the final output inefficient. Netwrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable data entry.

This is done by combining multiple streams of data to compose these change records. It does not impose additional resource or storage requirements; instead, it adds value by combining stable native event log activity with Microsoft-approved approaches that present no stability risk to the host system. Only changes are written to the database, not the full events. This serves to further improve performance and make efficient use of storage.

Does Netwrix's use of native event logs carry any performance or stability disadvantages?

No. Using native event logs is a tremendous benefit that does not carry any performance or stability risks whatsoever. Without native logging, intrusive agents are required that in essence replace the native functionality with a proprietary one. This may risk system stability should a normal system update disrupt a custom agent. Furthermore, it can be falsely perceived that using native events requires additional resources and contributes to maintaining unnecessary log events, rendering the final output inefficient. Also, one common issue with proprietary agents is that when they fail to start or crash, auditing stops completely. This is not the case with native auditing, which cannot be stopped (because it is built into the OS core) and never fails; it is too simple to fail.

Netwrix uses AuditAssurance™ technology to consolidate and normalize only the important data for each event into a single, human-readable data entry. This is done by combining multiple streams of data to compose these change records. It does not impose additional resource or storage requirements; instead, it adds value by combining stable native event log activity with Microsoft-approved approaches that present no stability risk to the host system.

This is done using not only event logs and Exchange events but also audit trails such as Active Directory replication, trace logs and snapshots. Only changes are recorded, not redundant full events, which further serves to make efficient use of storage and reduce resource utilization.

Native auditing: does it capture excessive amounts of 'noise' that will render reports unreadable?

Not true. All Netwrix products use AuditAssurance™ technology and audit settings that use only what is needed, eliminating redundancy and pruning the raw data down to only the information that is of value, which makes report output entirely human-readable. This method of capturing data is far superior to native capabilities without any compromises in performance.

Furthermore, Netwrix provides the centralized storage and reporting capabilities that are missing from native auditing. In addition, native auditing cannot capture before and after values, for example, if a Group Policy is changed, file permissions are modified, or a group membership changes. No noticeable audit data 'noise' is captured because the technology removes it, including any redundant information related to events and changes, long before it reaches storage.

Installation time: does Netwrix software require hours or days to implement?

No. 10 minutes is all that is needed to install Netwrix software, provided that the required auditing settings were implemented using the wizards included with each product and SQL Server is installed in advance.

Professional services: does Netwrix software installation require contracting professional services?

Protection of critical objects: does Netwrix offer it?

Anyone who has rights to modify or delete an object can do so, and to claim that objects or settings can be protected is inaccurate. Claims of protecting objects often require intrusive agent solutions that 'hook' into the Windows API to prevent an object from being deleted or modified. However, this is not a security feature, simply because anyone with the rights to disable or tamper with these same agents can negate any benefit they may claim to provide.

Native Windows mechanisms can deliver object protection simply via a standard 'deny' setting. However, with the proper rights, these protections can also be circumvented, which makes any claims of object protection misleading.

The only exception to this is the Windows 2008 Active Directory object protection feature; however, this is only available for newly created objects. Netwrix plans to add simplified object protection management based on natively available mechanisms into its product lines in the future.

Some vendors claim that native logs can be easily purged or overwritten and are less secure?

Native event logs can be deleted and so can proprietary ones. So long as the user has permissions over the file system, any log (or locally cached log data) can be deleted, and to claim otherwise is entirely misleading. To address event log overwrites, Netwrix Event Log Manager supports the native Windows auto-backup feature for logs; once it is enabled, no events are lost. Netwrix also reports on event log clean-up activity.

Real-time alerting: does Netwrix provide such capabilities?

Yes. Netwrix offers real-time reporting on object changes or deletions. Implementing real-time alerting traditionally requires intrusive methods that demand a continuous, steady burn of resources, including processor time and network bandwidth. For these reasons, this method of facilitating real-time alerts is inefficient.

Netwrix delivers real-time alerting capabilities using a far more sensible and efficient approach. Real-time alerting is resource intensive, which is why the Netwrix approach instead schedules real-time alerting of events in 10-minute intervals. This means resources are not constantly being dedicated to alerting operations, which saves the overhead of delivering them. As a result, alerting operates within the existing managed flow of event analysis, consuming no additional resources.

Additionally, 10-minute intervals are far more practical for busy environments. Flooding e-mail and text messages with instant alerts is a gross misuse of time and resources when the same intelligence can be delivered with a timed delay that uses no additional overhead with functionally identical results. This becomes especially true in large environments where hundreds of alerts could trigger each day and there is only enough staff to respond to a portion of them.

No. Native auditing is not enough. AuditAssurance™ technology developed by Netwrix aims to ensure no event goes unmonitored. To achieve this goal, it is essential to acknowledge that no native auditing of any kind is 100% accurate and reflective of all changes. While some native auditing is robust and detailed, only combining all the available streams of auditable information can guarantee the integrity of changes.

Our technology combines these multiple streams of information into human-readable form, accurately and efficiently eliminating the typical 'noise' associated with log and audit events. Claims by SIEM solutions that native-only logging is superior, or even sufficient, are untrue.

"After all, knowing what's changed doesn't do us much good unless there is also a quick and easy way to roll back those changes, and the Netwrix solution gives you that, with 'no fuss, no muss'." - Deb Shinder, WindowSecurity.com